Be aware. Parents can access other children’s photos.

Hi folks, I’m definitely on the mend and have most blog posts for the next week already drafted.  I was going to post tonight about the ICO and their final decision about Baby’s Days / Sys IQ acting illegally and beyond the scope of the Data Protection Act; but I decided to post something more important, especially if you are a current Baby’s Days user.

Last night I received a blog comment from a parent of a child who is on a Baby’s Days subscription owned by a nursery.  The parent is a web developer and wanted to write a script so that photos from the diary would automatically download to his home computer when he ran a programme.

The parent quickly found he was able to access not only his child’s photos but also all of the other children’s photos on the system and also photographs of parents signatures!

From my limited understanding of this, this is because of the way the code is set up.  If you look at the code (which most parents wouldn’t, but they are perfectly entitled to) it provides a “path” if you like, direct to data.  Each parents path should lead them only to their child.  But in this case Baby’s Days had decided to basically remove the “fence” around the paths so that parents could access any path and whatever photos they wanted.

I know most parents provide permission for all parents to see their childs photos so this might not be a big deal to some (!!!) but also you have to remember parents access Baby’s Days on their phones.  If that phone is lost anyone picking it up would have access to the over 100,000 images this nursery has saved.  Also I’m pretty confident parents wouldn’t feel comfortable with anyone being able to save and copy their electronic signature?  Also you have to ask if this could happen with photos could it happen with medical forms or concerns forms?  Would a child be placed in danger by a parent accidentally coming across a “concern” form for example?  These are very important questions that anyone using Baby’s Days really needs to be asking themselves.

The parent contacted Baby’s Days and they were their usually sunny selves and seemed rather blasé about it.  They even said they would put the “fence” back for now so the paths only led to parents children, but they would take the fence down at a later date when they needed to talk to the nursery again?!

I’ve been planning a post for a while now about data security and the fact that Baby’s Days is designed more around security by obscurity, not by design.  Sadly what this parent has discovered is just the tip of the iceberg and as soon as I have more info I will of course be posting it here.

In the meantime if you are still using Baby’s Days please back up your data and think about what sorts of data you are storing there and what it could mean for the children in your care if it fell into the wrong hands.

28 thoughts on “Be aware. Parents can access other children’s photos.”

  1. Mind you on thinking about it. How would a person access that url number if they weren’t logged into system either as a parent or an administrator. So maybe not such a concern after all

    1. A person would know the URL because they would be a parent. I said a parent could access photos of other children. Not random people, but other parents.

      1. Yes but how would they get the URL from the other photos unless they were logged in as the other parent ? Sorry for being thick ?

        1. Don’t be sorry, it’s really complicated to understand and I’m not a techie so it’s even harder for me to explain! Each URL for each child will be something like this:

          https://yourdomain.com/images/sted/gallery_image/diary_14/2015/02/resized/14_9358_1454275242.jpg (child 1s URL)

          From what I can tell the start of each photo, even if it’s a different parent on a different login will have same parts of the URL that are the same as child 1. So child 2 might say:

          https://yourdomain.com/images/sted/gallery_image/diary_15/2015/02/resized/14_9358_1436275242.jpg

          It looks to me the start of each photo has the same URL it’s the end that’s different. So diary_15, probably means diary created in 2015. 2015/02 probably means a diary created in Feb (2nd month) 2015. The image is resized. Then the bit that changes depending on the picture is the end.

          If you wrote a code or got a lucky guess, you could would be able to work out the last part of the URL. When you worked it out, the photo would load. Not a new login screen because you don’t need to login to view direct links to photos.

          Does that explain better?

        2. Also the parent that noticed this was using a system where the files were indexed so he simply navigated to the “photos” folder :)

  2. OMG OMG OMG. I have just tried the above and I can see the photo by using the URL link.

    This is extremely worrying and needs to be spread far and wide :-(

  3. Mark Kahl is claiming today he offered you back access to the system but that you weren’t interested and has a reference number for people to report to the ICO if they have been contacted by you.

    1. Thanks Rather not say, he did offer me back my system via his solicitors, over 1 week after he took it away and over 1 week after I started the blog, after I’d already told all my parents and after he and Kel Thomas had dragged my name through the mud, it’s all on this blog, type legal into the search and you’ll find the posts. He also wanted me to apologise, remove my blog and wouldn’t commit to updating my system any further and he gave me 2 hours on a Friday night to “comply”. Why are people reporting me to the ICO?

  4. Hayley just to inform you that Mark Kahl has responded to this post on the FB group stating that all of the above is untrue and you are just stirring up trouble. He hasn’t addressed any of your points at all however. The admin on that group is also accusing you of pursuing a witch hunt, just thought I’d let you know so you can respond so all his customers can see what the actual truth is rather than his smoke screens.
    Clearly if what you were blogging about was inaccurate he would sue you!

    1. I’ve seen the comments in the ‘support’ group from Kel and from Mark, they have become abusive and are a good example of what a ‘witch hunt’ is, you’ve been called awful names, there is someone threatening to throw things at you if you turn up at the training session, people are also being actively encouraged to report you, and it all seems to be being fuelled by them, funnily enough the megaMinder issue has nicely been forgotten. People are being told you are making it all up and you are libel for slander, surely is this was the case, his solicitors would have forced you to remove the blog by now?

      Im feeling very uncomfortable, this behaviour is shocking especially from a company to do with children. I hope parents see this blog and ask their children’s data be removed, as a parent I’d be very concerned indeed.

  5. This is VERY worrying. Also the fact that now Babydays seem unavailable for comment and are hiding behind Kel (who doesn’t work for them – yeah right!!)

  6. So if an Ofsted inspector has read this blog and comes to inspect me and discovers I use baby’s days could I potentially be downgraded for not keeping my customers’ information secure?

  7. you have made yourself solely responsible for increasing the risk of all parents data being accessed, the chance was minimal that people would have discovered this but now you’ve publicised it, anybody could have a go!

    1. Do you not think babys days are solely responsible for the security risk? Wouldn’t you like to know that your data isn’t as secure as your being told?
      How awful of hayley to bring this to your attention! Quick join the despicable witch hunt on their “unbias” support group!

      Blaming hayley for reporting this is like blaming the journalists who exposed the MPs expenses scandal for it. How dare they open our eyes & make us all aware?!

      Maybe it’s time babys days customers opened their eyes. Mark hasn’t addresses any of the issues at all other than to say it’s all untrue & apparently that’s cleared it all up then! Laughable really.

    2. Surely it is good for customers of the system to be made aware of any potential security breaches? Baby’s Days go on about how wonderful and secure their system is but after reading this blog post I have also tried to access photos from my friends Baby’s Days system and I was able to. I did this purely to see if it could be done and it can. I had no ulterior motive, my friend was aware of what I was doing.
      Now looking at this logically, the chances of it happening are pretty slim, the chances of anybody wanting to do this are also slim, but the fact is that there is a security loophole in the system, there could be many more, and as a user of the system i do want to know about this!
      thank you Hayley, please keep making everyone aware of the truth about the system!

      1. Thanks Anon, glad to see you worked out a way to do it. If you pop over to the Baby’s Days support group on Facebook you might enlighten a few others who are currently branding me a lunatic. The more that know the better. :)

        1. Unfortunately Hayley I was thrown out of the Baby’s Days support group a few months ago for posting about a bug I found in the system! Laughable really!

    3. Sadly Anon noone is paying me £12 a month to keep your data safe. If I wasn’t being called a liar I wouldn’t have had to post this. Better yet if each photo was password protected and “100% secure” I wouldn’t have anything to post at all!

  8. I am extremely concerned by this (and other) posts on this blog, Hayley thank you for sharing and working so had to ensure no other BD users suffer as you have. Very enlightening.
    Is the parent and or nursery going to pursue this with BD do you know? Does this explain why their security rating is only a B? This is providing huge safeguarding issues don’t BD realise this? It would only take one undesirable individual to tap into this loophole for BD to be shut down, utterly appalling. I wouldn’t leave my parents data in there, thank goodness I’m with another provider.
    I will be sharing this blog with my LA and peers.

    1. Thanks for the support Nursery Owner, I’m not sure what the parent is going to do, but hopefully he will let us know via the blog. I also didn’t know their SSL ceriticare was B now, but that is unrelated to this.

  9. Is this really possible? My husband works for a large private health care company as a systems developer and says this would not be possible. How can you view code as a parent without having access to the back end of the system? Could you provide us details of how I can access the back end of the system as a parent so my husband could check this? Thanks

    1. Load up Baby’s Days in a browser, right click the mouse button. You will see ‘view page source’, that’s the easiest way to access some of the code. If you look at the comment left by the parent, you will see Baby’s Days replied to him. This is very true.

        1. It’s not as simple as that Anon, and not every system will ahve this Flaw. Logging in as a test parent will not recreate the error either this is why MArk Kahl s encouraging people to test it themselves.

          What you need to do is go to a child’s gallery. Right click on the photo and you will see a link that says something like “copy image link”. Paste the link into Word. Log out of Baby’s Days. Go into your browser (ie. Firefox) and paste in the URL you just copied. Even though you have logged out of Baby’s Days, you will be able to see the photo!

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>